Bug 782922

Summary: Config server should not support neutered oauth POST/PUT requests
Product: [Retired] CloudForms Cloud Engine
Reporter: Greg Blomquist <gblomqui>
Component: aeolus-configserver
Assignee: Greg Blomquist <gblomqui>
Status: CLOSED ERRATA
QA Contact: dgao
Severity: medium
Priority: unspecified
Version: 1.0.0
CC: akarol, deltacloud-maint, dmacpher, hbrock, jrd, juwu, mitch, morazi, whayutin
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Originally aeolus-configserver supported neutered OAuth POST/PUT requests. This made it possible for aeolus-conductor to generate OAuth one way and test the automation generated requests another way. This bug fix updates aeolus-configserver so that the body piece of the signature is required when validating the OAuth signature in authentication requests.
Last Closed: 2012-12-04 14:53:49 UTC

Description Greg Blomquist 2012-01-18 21:04:26 UTC
Currently, config server supports two types of oauth requests for PUTs and POSTs

1)  Requests with the oauth signature that includes the entire POST body (including oauth headers)

2)  Requests with the oauth signature that only includes the oauth headers

Originally, this was included to support both the Conductor method of generating oauth PUTs (option#2 above) as well as the test automation suite (option#1 above).

Eventually, we decided that it was categorically wrong to allow option#2 type requests.  The fix for this (on the conductor side) was to replace the ruby RestClient library with the Oauth library (https://bugzilla.redhat.com/show_bug.cgi?id=760592).

However, the fact that config server allowed for option#2 oauth requests hid the fact that conductor generated oauth one way and the test automation generated requests another way.

This bug is to remove the ability for configserver to handle option#2 oauth requests.  This will effectively break the conductor -> config server communication until the fix for bug #760592 is applied and moved to ON_QA.

This bug is counterintuitive in that the fix actually breaks something.  At least until bug #760592 is resolved.

How to reproduce:

1) start with an aeolus-conductor-0.9.0 (or earlier)
2) set up a config server: aeolus-configserver-0.4.5-2 (or earlier)
3) add config server to conductor under provider accounts
4) Launch a simple deployment using that config server

Actual results:

The launch should succeed.

Expected results:

The launch fails and reports a 401 (either in the conductor UI, or in the config server logs) when conductor attempts to POST the configs to config server.
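As an added illustration (not code from the bug report or from aeolus-conductor/aeolus-configserver), the following is a minimal OAuth 1.0 HMAC-SHA1 signer and verifier in Ruby that treats the POST body as form parameters; the consumer secret, endpoint URL and body values are constructed. It shows why the neutered, header-only check (option #2) is wrong: it cannot tell a modified body from the original, whereas requiring the body in the signature rejects both a header-only request and a tampered body.

```ruby
require 'openssl'

# Percent-encoding as OAuth 1.0 requires: only unreserved characters stay bare.
def oauth_encode(str)
  str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end
# Signature base string (RFC 5849 3.4.1) over the given parameter set,
# always leaving oauth_signature itself out of the signed material.
def base_string(method, url, params)
  normalized = params.reject { |k, _| k == 'oauth_signature' }
                     .map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_encode(url), oauth_encode(normalized)].join('&')
end
def hmac_sha1_signature(base, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base)].pack('m0')
end

# Client side: sign_body false reproduces the header-only ("option #2") signature.
def sign(method, url, oauth_params, body_params, secret, sign_body:)
  params = sign_body ? oauth_params.merge(body_params) : oauth_params
  hmac_sha1_signature(base_string(method, url, params), secret)
end
def secure_equal?(a, b) # constant-time-style comparison of two signatures
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Server side: require_body false is the neutered check that this bug removes.
def verify(method, url, oauth_params, body_params, secret, require_body:)
  expected = sign(method, url, oauth_params, body_params, secret, sign_body: require_body)
  secure_equal?(expected, oauth_params['oauth_signature'].to_s)
end

# Constructed sample values; the URL and secret are hypothetical, not from the bug.
SECRET = 'constructed-consumer-secret'
URL    = 'https://configserver.example/configs/i-0001'
OAUTH  = { 'oauth_consumer_key' => 'conductor', 'oauth_signature_method' => 'HMAC-SHA1',
           'oauth_timestamp' => '1326920666', 'oauth_nonce' => 'c0ffee', 'oauth_version' => '1.0' }
BODY   = { 'data' => 'service=httpd' }
def outcomes
  header_only = OAUTH.merge('oauth_signature' => sign('POST', URL, OAUTH, BODY, SECRET, sign_body: false))
  full        = OAUTH.merge('oauth_signature' => sign('POST', URL, OAUTH, BODY, SECRET, sign_body: true))
  tampered    = { 'data' => 'service=sshd' } # same headers, different body
  { neutered_accepts_header_only: verify('POST', URL, header_only, BODY, SECRET, require_body: false),
    neutered_misses_tampering:    verify('POST', URL, header_only, tampered, SECRET, require_body: false),
    strict_rejects_header_only:   !verify('POST', URL, header_only, BODY, SECRET, require_body: true),
    strict_accepts_full_body:     verify('POST', URL, full, BODY, SECRET, require_body: true),
    strict_catches_tampering:     !verify('POST', URL, full, tampered, SECRET, require_body: true) }
end
```

Every value returned by `outcomes` is true, which is the 401 behaviour the expected results above describe for a header-only POST once the body is required in the signature.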

Comment 1 Hugh Brock 2012-01-27 18:02:13 UTC
Moving to 1.1. This is too invasive to fix this late in the game.

Comment 2 Greg Blomquist 2012-02-01 18:44:07 UTC
Updating version to 1.0 (found in version)

Comment 3 jrd 2012-07-26 19:42:13 UTC
PM input required.  Still important enough for 1.1?

Comment 4 Mitch 2012-07-26 20:13:01 UTC
Yes.  I'll confirm with QE this won't delay anything and get back to everyone.

Comment 7 dgao 2012-09-18 20:50:55 UTC
Verified w/ 

aeolus-configserver-0.4.10-2.el6cf.noarch
aeolus-conductor-0.13.7-1.el6cf.noarch

Comment 9 errata-xmlrpc 2012-12-04 14:53:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1516.html